Amazon, Apple security measures factors in journalist's hacked iCloud account

2

Comments

  • Reply 21 of 47
    hill60hill60 Posts: 6,992member


    Here's what I posted in the earlier thread on this:-


     


     



     


    Quote:


    Originally Posted by hill60 View Post



    I'd like to know more about the "social engineering" as I suspect it would involve identity theft.

    "This is my name, my date of birth, my home address, my phone number, my email address, I've forgotten my password and my questions don't work, can you help me out here, is there any more information I need to give you?"

    I doubt Apple reps (like anyone else working for a holder of secure information) would have access to credit card and social security numbers, maybe the last 3 or 4 digits but not the whole number.

    It will be interesting to see what this "social engineering" involved.



     



     


    Seems I was pretty dead on.


     


    Now there has to be a balance between when to give someone what is rightfully theirs and when to withhold it, it's a matter of convenience, how much of your private information should customer service reps have access to, how much should you have to give them to get what is yours?


     


    The weak link was Amazon with the credit card details and Google with the email address details, without those the "hacker" would have got nowhere.


     


    My iCloud account is safe due to the simple fact that I have never used Amazon and have never given them CC details.


     


    I have also not used a .me.com address with gmail besides which I have separate Apple ID's for iTunes and iCloud.


     


    Surprisingly Microsoft has come up with a fairly good new service, outlook.com where you can set up an exchange based email account and assign multiple aliases for various purposes, I've added  a few to the ten or so email addresses, most of them unused a "hacker" would have to unravel to get to my iCloud.

  • Reply 22 of 47

    Quote:

    Originally Posted by nagromme View Post

    All very scary. I have shut off Find My [Device] for now.


     


    As someone else points, "Find My [Device]" is perfectly okay to have, but remote wiping of a device should be accompanied by PIN settings beforehand.


     


    Quote:

    Originally Posted by diplication View Post

    Also, is it painful when someone attacks your google?


     


    My doctor prescribed me two Instagram to get me through the pain and asked me to call him in the morning.


     


    Quote:

    Originally Posted by djkikrome View Post


    Why blame Amazon OR Apple.  Blame yourself, dumbass, for putting your life out there on the internet and then being surprised that there was a repercussion.  You are a dumbass and that is the one and only problem in your life and the systems which within you operate.


     


    Just like others in the world, can't accept responsibility for their own actions.  You put yourself in traffic, then expect to get hit.



     


    This is a blame-the-victim response.  He was attacked for the simple crime of having a three-character Twitter account, not because he was a public figure.  For everything else, if you read the article, he does go into a lot of self-hate.  But I think he has a very valid point--if identity verification is done with information that's available in the public domain, how can it ever be secure?

  • Reply 23 of 47
    hill60hill60 Posts: 6,992member

    Quote:

    Originally Posted by blewharvest View Post





    How does one contact this "Google Customer Support" you speak of?


     


    I've helped a few people who had forgotten their gmail password for their Android phones, basically you answer a few questions on a web based form and they say they will get in touch in a few days.

  • Reply 24 of 47
    hill60hill60 Posts: 6,992member

    Quote:

    Originally Posted by LoopyChew View Post

    ...if identity verification is done with information that's available in the public domain, how can it ever be secure?


     


    The partial credit card details are NOT in the public domain, an Amazon account had to be accessed to obtain them.


     


    Without that specific information this would not have worked.


     


    The reason it's the last four numbers?


     


    So no-one working for a company has access to the full number.

  • Reply 25 of 47
    asdasdasdasd Posts: 5,312member


    Mostly the fault of Amazon. Apple can say that the last four digits is their fall back if security questions are forgotten - as they often are. Clearly that is a problem if someone has your credit card. That was always the case, and it is compliant with industry standards. So... well they may have to change. 

  • Reply 26 of 47
    hill60hill60 Posts: 6,992member

    Quote:

    Originally Posted by BuffyzDead View Post


    I have always liked, and believe in the "SEND A CODE TO MY iPHONE" to make changes, like many banks do.


     


    Apple should adopt immediately



     


    ...say someone got access to your cellphone account details, walked into a store and did a SIM swap?


     


    "I've lost my phone and need a new SIM"


     


    Put SIM in any other phone, "SEND A CODE TO MY iPHONE" and BAM, they are in.


     


    Meanwhile you are left wondering why your phone stopped working.

  • Reply 27 of 47
    bageljoeybageljoey Posts: 1,755member
    flaneur wrote: »
    No you're not paranoid, or if you are I am too. There are a few fishy things about the story besides the Giz connection. The Wired connection, the Google non-connection, the tear-jerk detail about the daughter's whole life in pictures (a red herring?), the too-perfect stupidity of having no backup, the talkative Phobia, the eagerness not to press charges. If you wanted to rain on Apple's iCloud party . . .
    Google has customer support?

    I agree completely. In fact, the Gizmodo connection is the least interesting point for me. It is the fact that the hacker picked this journalist well placed to publicize the hack, did serious harm (erasing data, not just changing passwords and announcing "I'm here") and then contacted him and explained everything to make Apple and Amazon look bad. It just seems too pat.
    Not to say that this "hack" I isn't a problem, but the story just seems to cute...
  • Reply 28 of 47
    vaelianvaelian Posts: 446member

    Quote:


    Ask to send code to cellphone, when you log in, the website will send you the generator number like 123456 to prove that it's you and your account before gets in your account. My bank do that for xtra secure.



     


    Sometimes I wonder whether people think their ideas through.  You login to iCloud to use Find My iPhone, iCloud sends a message to the stolen phone?  Good luck getting both your iCloud account AND your phone back now!  Perhaps you should call your carrier and have the number reassigned to a new phone (or a new card mailed), but what if the information they have on record for you is outdated?  Oops, now you've lost your phone, your phone number, AND your iCloud account because of a problem that would have never actually existed if you had not published personal information online!  Blaming the service providers for this is simply retarded!  Rent a PO Box if you absolutely must have an address published for the world to see!

  • Reply 29 of 47
    jragostajragosta Posts: 10,473member
    I realize the actual problem here, and corrections do need to be made, but why is it that only Amazon and Apple are held to blame for this incident? Google was a key part of this identity theft and somehow they managed to escape the headline. With the Gizmodo connection with this person...well, it just seems suspect. Am I the only one seeing this? Or am I just paranoid?

    No, you're not the only one. I stated earlier that the fact that they apparently never reported this to the authorities to try to get the guy arrested suggests that it's an inside job.
    hill60 wrote: »
    Now there has to be a balance between when to give someone what is rightfully theirs and when to withhold it, it's a matter of convenience, how much of your private information should customer service reps have access to, how much should you have to give them to get what is yours?

    The weak link was Amazon with the credit card details and Google with the email address details, without those the "hacker" would have got nowhere.

    My iCloud account is safe due to the simple fact that I have never used Amazon and have never given them CC details.

    I have also not used a .me.com address with gmail besides which I have separate Apple ID's for iTunes and iCloud.

    Surprisingly Microsoft has come up with a fairly good new service, outlook.com where you can set up an exchange based email account and assign multiple aliases for various purposes, I've added  a few to the ten or so email addresses, most of them unused a "hacker" would have to unravel to get to my iCloud.

    Re the bolded:
    That's the fundamental issue. If Apple required the entire credit card, then there would be complaints that the customer service reps have access to your credit card info. If everyone chose a different 4 digits of the credit card, a hacker could eventually get the full card number by assembling information from different sources. The more private information you require, the more secure, but at the expense of requiring more private information to become available to companies you do business with.

    There's no doubt that there are flaws in the system and the system could be improved. But it's not a trivial matter like some people are suggesting - the entire system has a problem. In the end, no matter where you set the balance between security and privacy, someone is going to be unhappy. Until there's a new technology (perhaps some truly foolproof biometric if that could be developed), someone is going to be unhappy.

    It is, of course, interesting that when this article came out, Apple was the one attacked. Later, Amazon was added to the mix, but Google (along with the millions of other companies who do the same thing as Apple and Amazon and Google) was left out.
  • Reply 30 of 47
    mcrsmcrs Posts: 172member


    The partial email they got from Google was enough? Come again? In what way will that be enough for the thief to force his way in? Is this Mat Honan, being an IT writer tha he is, seems intelligent enough to you? The fact that he didn't back up his important data off-line someplace actually qualifies him to become an idiot who possibly didn't practice what he preached, i.e. backup your data- backup your data- backup your data. And, of course, as many people do, to make things worse, he chooses an easier and a lazy way to choose an email address, that is using [email protected] If you use that lazy email naming address as one of the key info's to get in to a very secured site, you'll be in for some nasty surprises. So, you figured it's Google's fault that the ID thief guessed this Mat Noman uses his personal name for his alternate email address for email recovery. He could've used [email protected], and that would be enough to save him from his ordeal.


     


    Personally, to prevent unauthorized access to any important and highly secured sites, I would not use the lazy email addressing scheme which apparently many seems to be very fond of doing. It's an accident waiting to happen. It's good that this idiot Mat Noman's incident had occured. It will definitely open so many eyes about the possibility of so-called "social-engineering" for gaining access to secured sites due to users' laziness or indifferent attitudes about the possibility of identity thefts and all the disaster which will follow.


     


    Quote:

    Originally Posted by Rayz View Post


     


    The partial email they got from Google was enough, just as having only part of his credit card was enough.\


  • Reply 31 of 47
    lilgto64lilgto64 Posts: 1,147member


    On the flip side - one of my store credit cards has removed the ability to reset a password via their website and I was unsuccessful in getting any assistance from the help desk number provided on the web page - and when I try to re-register I am unable to because it says I am already registered. And no password I have ever used for anything seems to work for that site. The help desk suggested I send an email to their account services team which I have done twice with no response. The account has not been compromised and I can still use the card and can still call the phone number to get balance and payment date etc - but I cannot do anything with the account online. It would seem my only option is to close the account, wait a bit, and then open a new one. 


     
  • Reply 32 of 47
    charlitunacharlituna Posts: 7,215member
    have one specific CC for online purchases (only) and a yahoo account for dealing with online transactions only and a .me/mac email address for all other personal email...I'm sure there is more one can do....

    That's the stuff that got him into trouble. It's more like 'don't use a domain registrar that displays billing addresses, or don't use your real one', 'don't use the sme credit card on every site', 'don't use your freaking name as your email' and most important 'don't forget to back your stuff up'

    We don't know what policy was overlooked by Apple but in the end is that as important as the fact that he had linked up his accounts as he did or that other companies make it so easy to get the vital info. If Googje hadn't shown his email address even partly blanked it would have spotted things dead even. And yet everyone is yelling about Apples blame and policies and this vague comment.
  • Reply 33 of 47
    charlitunacharlituna Posts: 7,215member
    deadpeanut wrote: »
    You're paranoid. The article is about Amazon and Apple because their customer care let him down.

    Once they had full control of the Apple account they then used it to attack his google.

    The whole thing started with the fact that they knew his apple id because google exposed it. So yes, they share the blame
  • Reply 34 of 47
    charlitunacharlituna Posts: 7,215member
    deadpeanut wrote: »
    I wouldn't call your post an attack.

    The email that they got from google was a partial. Unfortunetly they were able to make a logical leap to work out the full email. But thats not really the issue.

    The difference between google and the other two in this case is google customer support weren't tricked into handing over the accounts to the hacker.

    Google wasnt tricked because they gave out the info so they didn't have to be tricked. So yes that exposed email is part of the issue.

    Also, Google has tools available to hinder unauthorized access. Such as the two step verification method. (ie sending a verification code to your phone when logging onto a new computer)

    Those tools aren't mandatory, which is why Honan wasn't using them. That Google makes them optional adds to their part in the shared blame
  • Reply 35 of 47
    charlitunacharlituna Posts: 7,215member
    mcrs wrote: »
    The partial email they got from Google was enough? Come again? In what way will that be enough for the thief to force his way in?

    If a thief doesn't know your address he can't come steal from you. And this attack was personal. So with that partial address they would have been dead in the water.
  • Reply 36 of 47
    rayzrayz Posts: 814member

    Quote:

    Originally Posted by mcrs View Post


    The partial email they got from Google was enough? Come again? In what way will that be enough for the thief to force his way in?



     


    Yes, that does read a little bit strangely. I'll try again.


     


     


     


    Quote:


    The partial email they got from Google was enough, just as having only part of his credit card was enough. No single entry was enough to compromise his stuff,



     


    What I meant was that all that was needed was a piece of the information from each company to form the whole 'key' to this person's life. It was the parts that were the problem. No single part would have been enough to allow the break-in, but each company and the user did not consider these pieces being used together.


     


    Amazon shouldn't be handing over partial credit card numbers


    Google shouldn't be handing over partial recovery email addresses


    Apple shouldn't be relying on publicly known details as a security check (though we don't know what procedures weren't followed).


    Mat shouldn't have been such an idiot.


     


    Take any one of those out the equation and the 'hack' wouldn't have worked half as well.


     


     


     


    Quote:


    Is this Mat Honan, being an IT writer tha he is, seems intelligent enough to you? The fact that he didn't back up his important data off-line someplace actually qualifies him to become an idiot who possibly didn't practice what he preached, i.e. backup your data- backup your data- backup your data. And, of course, as many people do, to make things worse, he chooses an easier and a lazy way to choose an email address, that is using [email protected] If you use that lazy email naming address as one of the key info's to get in to a very secured site, you'll be in for some nasty surprises. So, you figured it's Google's fault that the ID thief guessed this Mat Noman uses his personal name for his alternate email address for email recovery. He could've used [email protected], and that would be enough to save him from his ordeal.


     


    Personally, to prevent unauthorized access to any important and highly secured sites, I would not use the lazy email addressing scheme which apparently many seems to be very fond of doing. It's an accident waiting to happen. It's good that this idiot Mat Noman's incident had occured. It will definitely open so many eyes about the possibility of so-called "social-engineering" for gaining access to secured sites due to users' laziness or indifferent attitudes about the possibility of identity thefts and all the disaster which will follow.




     


    Why are you ranting? Most people agree with you. Most people know more about online security that Mat, it would seem.


     


    In fact, I find it so hard to believe that a 'tech journalist' had no backups that I'm inclined to think that this is a setup.

  • Reply 37 of 47
    jlanddjlandd Posts: 873member


    Regardless of all of the other details here, it's disconcerting that all that is required to get a new temporary ID is the user's billing address and the last four digits of their credit card.  If you're sitting in front of someone's computer while it's logged on half the time you can go into their email, doesn't take a genius just the opportunity.  If you know the address and steal a glance at their card that's all it takes to hijack an account and in minutes many of their accounts.   


     


    I'm not thinking of any grand underworld hacking scheme.  I'm thinking about the time years ago I went to the bathroom and came back and found the painter at my laptop.  He gave some lame excuse and slinked away, and I figured he couldn't have done much, he couldn't have compromised any accounts, nothing logged on automatically and he had no passwords.  If I hear of such a story today I'll think differently.

  • Reply 38 of 47

    Quote:

    Originally Posted by Rayz View Post


     


    The partial email they got from Google was enough, just as having only part of his credit card was enough. No single entry was enough to compromise his stuff, but the hacker used the rather bizarre security procedures from all three companies to engineer a perfect storm. And if this had happened to a regular fella then I'd be more sympathetic, but even regular fellas have enough about them to back up their important data. He also bears some responsibility for linking so much of his private information to his public persona.


     


    Trying to stick Apple, Amazon or Google with the blame for this is just hiding a much bigger problem: personal information being linked across sites means that hackers can pretty much own you with just a few clicks. This is where we have to be a little bit smarter to protect ourselves.


     


    Unlike Mat.


     


     


    Yes, because they didn't need to call customer support to get the information they needed from Google. It was right there on a web page.



     

    #next_pages_container { width: 5px; hight: 5px; position: absolute; top: -100px; left: -100px; z-index: 2147483647 !important; }

    Thank you.  These people seem to think Google is a do no wrong because they give them stuff for free.  Wait until they get hacked and you find our all the info they really store on each of us. 


    #next_pages_container { width: 5px; hight: 5px; position: absolute; top: -100px; left: -100px; z-index: 2147483647 !important; }

     
  • Reply 39 of 47


    Why does Apple only require the last 4 digits of your CC number to verify your account?  In addition to other sources, those show up on paper receipts all the time... perfect puzzle piece for social engineering schemes, especially when you know the victim in person. So many people are careless with CC receipts.


     


    The whole "customer service reps would have to have access to the whole number" thing doesn't make any sense.  Just:


    1. Rep asks for your full CC number


    2. Rep types in what you say


    3. Computer responds to rep with "yes it matches" or "no it doesn't"


     


    or even better


     


    1. Rep says "I'm going to pass you on to our computerized verification system"


    2. Computerized voice asks for your full CC number


    3. You type it in with your touch-tone phone


    4. You get passed back to the rep, who is told by the computer whether you typed in the right number or not


     


    As a whole though, this shows a huge new problem: how various accounts with different companies interact, each disclosing different little bits of information and each requiring different bits to get in.  The only way to solve this is with a law or at least a universal policy adopted by the industry as a whole specifying (1) what information it takes to get full control of an account, (2) what information can be disclosed to someone who doesn't have full control of an account and (3) what actions can be taken by someone who doesn't have full control of an account.  Without this, it'll be impossible to ever figure out all the various interactions between companies and it'll turn into a never-ending cat and mouse game of attacks and policy changes.  The current process of daisy-chaining accounts off each other for recovery purposes is a disaster waiting to happen.  If (1) is well thought out, it'll be hard for an attacker to put together from public information, plus if it's standardized people will know what specifically to keep secret.


     


    Ultimately down the road, we need a better way. Military/secret service security specialists have known for a long time that for ultimate authentication you need three things:


    1) something you know (ie password)


    2) something you have (ie physical key)


    3) something you are (ie fingerprint)


     


    I don't understand why in this day and age, we're still so centered around "something you know".  Password, billing address, CC number, mother's maiden name are all things someone with malicious intent could find out. As our lives depend more and more on our accounts, we need to do better....

  • Reply 40 of 47
    maestro64maestro64 Posts: 4,599member


    Plain and simple and I said this before to all those who think there is nothing wrong with putting their life out on the web. This is what happens, it is not Apple or Amazon's fault. It was Honan fault, he made it easy for them to hack him. Hacker are smart people so if you put all your information out there and they can located it and piece together what they need.


     


    This should be a lesson to anymore who thinks it okay to put all their personal information out on the web.

Sign In or Register to comment.